[Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
kevin at darbyshire-bryant.me.uk
Sat Apr 11 15:13:53 EDT 2015
On 11/04/2015 17:49, Dave Taht wrote:
> Openwrt chaos calmer trunk (latest) as of a day ago has dnsmasq 2.73rc4
> with suitable handling for DNSSEC. Certainly I've DNSSEC enabled and
> can browse the site you mention without obvious problem.
> I stand corrected.
> I still would really like people to pound dnsmasq flat with
> namebench or other dns stress tests (anyone know of any? dig in a loop
> would also help), using a native ipv6 dns server upstream. It used to
> take days to trigger the bug. It may only happen on networks that have
> issues with edns0.
>> The automatic determination of 'valid current time' and hence checking
>> signature timestamps has an issue: The startup script uses 'touch -t
>> 1970epoch timestampfile' to pre-create a timestamp file which slightly
>> defeats the inbuilt dnsmasq logic...not helped by the fact '-t' is an
>> invalid option.
> Well, it was a more elegant solution that dnsmasq ultimately came up
> with than what was in cerowrt, and I figure that single character fix
> is a single bug report to openwrt and patch away... if someone else
> not getting on a plane makes it.
I shall log a ticket within 48 hours, (if it doesn't get spotted and
squashed by someone else) It's not just a case of not using '-t' but
rather of not trying to defeat the internal dnsmasq logic whilst fitting
in with the requirement of being able to create a file as 'nobody' in a
directory with a) suitable permissions and b) survives reboots, and
dealing with the new secure computing changes related to procd walled
gardens. There are a few things pulling in opposite directions most of
which I've no clue :-)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4791 bytes
Desc: S/MIME Cryptographic Signature
More information about the Cerowrt-devel